[Webkit-unassigned] [Bug 35688] New: expandUseElementsInShadowTree infinite recursion stack exhaustion.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 3 07:54:38 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=35688

           Summary: expandUseElementsInShadowTree infinite recursion stack
                    exhaustion.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=372
                    87
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P3
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Repro:
  <svg xmlns="http://www.w3.org/2000/svg">
  <g id="foo">
  <svg xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xl="http://www.w3.org/1999/xlink">
  <use xl:href="#foo"/>
  <g id="bar" />
  <use xlink:href="#bar" />

This causes infinite recursion in expandUseElementsInShadowTree, which leads to
stack exhaustion. Below is the code, as you can see, it calls itself in two
locations. The 
bottom one seems to be the culprit in this case:

http://svn.webkit.org/repository/webkit/trunk/WebCore/svg/SVGUseElement.cpp?r=55462
void SVGUseElement::expandUseElementsInShadowTree(SVGShadowTreeRootElement*
shadowRoot, Node* element)
{
    // Why expand the <use> elements in the shadow tree here, and not just
    // do this directly in buildShadowTree, if we encounter a <use> element?
    //
    // Short answer: Because we may miss to expand some elements. Ie. if a
<symbol>
    // contains <use> tags, we'd miss them. So once we're done with settin' up
the
    // actual shadow tree (after the special case modification for svg/symbol)
we have
    // to walk it completely and expand all <use> elements.
    if (element->hasTagName(SVGNames::useTag)) {
        SVGUseElement* use = static_cast<SVGUseElement*>(element);

        String id = SVGURIReference::getTarget(use->href());
        Element* targetElement = document()->getElementById(id); 
        SVGElement* target = 0;
        if (targetElement && targetElement->isSVGElement())
            target = static_cast<SVGElement*>(targetElement);

        // Don't ASSERT(target) here, it may be "pending", too.
        if (target) {
            // Setup sub-shadow tree root node
            RefPtr<SVGShadowTreeContainerElement> cloneParent = new
SVGShadowTreeContainerElement(document());

            // Spec: In the generated content, the 'use' will be replaced by
'g', where all attributes from the
            // 'use' element except for x, y, width, height and xlink:href are
transferred to the generated 'g' element.
            transferUseAttributesToReplacedElement(use, cloneParent.get());

            ExceptionCode ec = 0;

            // For instance <use> on <foreignObject> (direct case).
            if (isDisallowedElement(target)) {
                // We still have to setup the <use> replacment (<g>).
Otherwhise
                // associateInstancesWithShadowTreeElements() makes wrong
assumptions.
                // Replace <use> with referenced content.
                ASSERT(use->parentNode()); 
                use->parentNode()->replaceChild(cloneParent.release(), use,
ec);
                ASSERT(!ec);
                return;
            }

            RefPtr<Element> newChild = target->cloneElementWithChildren();

            // We don't walk the target tree element-by-element, and clone each
element,
            // but instead use cloneElementWithChildren(). This is an
optimization for the common
            // case where <use> doesn't contain disallowed elements (ie.
<foreignObject>).
            // Though if there are disallowed elements in the subtree, we have
to remove them.
            // For instance: <use> on <g> containing <foreignObject> (indirect
case).
            if (subtreeContainsDisallowedElement(newChild.get()))
                removeDisallowedElementsFromSubtree(newChild.get());

            SVGElement* newChildPtr = 0;
            if (newChild->isSVGElement())
                newChildPtr = static_cast<SVGElement*>(newChild.get());
            ASSERT(newChildPtr);

            cloneParent->appendChild(newChild.release(), ec);
            ASSERT(!ec);

            // Replace <use> with referenced content.
            ASSERT(use->parentNode()); 
            use->parentNode()->replaceChild(cloneParent.release(), use, ec);
            ASSERT(!ec);

            // Immediately stop here, and restart expanding.
            expandUseElementsInShadowTree(shadowRoot, shadowRoot);
            return;
        }
    }

    for (RefPtr<Node> child = element->firstChild(); child; child =
child->nextSibling())
        expandUseElementsInShadowTree(shadowRoot, child.get());
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list